Vulnerabilities > CVE-2017-2815 - XXE vulnerability in Igniterealtime User Import Export 2.6.0
Attack vector
NETWORK Attack complexity
LOW Privileges required
SINGLE Confidentiality impact
PARTIAL Integrity impact
NONE Availability impact
PARTIAL Summary
An exploitable XML entity injection vulnerability exists in OpenFire User Import Export Plugin 2.6.0. A specially crafted web request can cause the retrieval of arbitrary files or denial of service. An authenticated attacker can send a crafted web request to trigger this vulnerability.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 |
Common Weakness Enumeration (CWE)
Seebug
| bulletinFamily | exploit |
| description | ### Summary An exploitable XML entity injection vulnerability exists in OpenFire User Import Export Plugin 2.6.0. A specially crafted web request can cause the retrieval of arbitrary files or denial of service. An authenticated attacker can send a crafted web request to trigger this vulnerability. ### Tested Versions OpenFire User Import Export Plugin 2.6.0 ### Product URLs https://www.igniterealtime.org/projects/openfire/plugins/userImportExport.jar ### CVSSv3 Score 8.1 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H ### CWE CWE-611: Improper Restriction of XML External Entity Reference ('XXE') ### Details The User Import Export Plugin is vulnerable to an XML External Entity injection attack. The application can be exploited via either Cross Site Request Forgery or if account with given credentials is compromised. This vulnerability may allow the retrieval of arbitrary files or the causing of a Denial of Service condition (by making the server read from a file such as `/dev/random`) External entities can also reference URLs, potentially allowing port scanning from the XML parser's host, or the retrieval of sensitive web content that would otherwise be inaccessible due to network topology and defenses. ### Mitigation Restrict access to known, trusted users and hosts. ### Timeline * 2017-03-06 - Vendor Disclosure * 2017-07-19 - Public Release ### CREDIT * Discovered by Jerzy Kramarz, Michail Sarantidis, Rafael Gil Larios, Giovani Cattani and Anton Garcia of Portcullis Computer Security Limited. |
| id | SSV:96466 |
| last seen | 2017-11-19 |
| modified | 2017-09-13 |
| published | 2017-09-13 |
| reporter | Root |
| title | Open Fire User Import Export Plugin XML External Entity Injection(CVE-2017-2815) |
Talos
| id | TALOS-2017-0316 |
| last seen | 2019-05-29 |
| published | 2017-07-19 |
| reporter | Talos Intelligence |
| source | http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0316 |
| title | Open Fire User Import Export Plugin XML External Entity Injection |